Board: Project Development
Re: Free Poloniex Auto Trading Bot
by s2 on 02/09/2017, 09:01:58 UTC
Firstly I want to say the site is beautiful and simple, congratulations.

Also I think you've got a great setup here, I really like it.  The script seems easy to read so far.

On looking at a few files, like login.php, I noticed this was in there...

$dbh->prepare('SELECT * FROM users WHERE username = "'.$_POST['username'].'" AND password = "'.$password.'"');

I could be wrong, but I would have thought this is actually dangerous for SQL injection, as someone can put anything they like into the $_POST['username'] bit since it's in the statement area of the prepare bit?

I have to admit, I haven't checked if $dbh is actually your own custom-rolled mysqli object, but even if it was it still seems dangerous.  I.e. I use '?' and bind parameters to prevent this issue... not a major issue at all given people would need to know the trading bot server to attack in the first place, but if you decided to release it as a paid-for service I expect this needs changing to keep users safe.

Making it open source is a great idea too; I can see people wanting to include things like SMS alerts and other exchanges for you.
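The following is an added example, not code from the bot or from the poster, showing the concatenated query pattern quoted above next to the '?'-placeholder form the post recommends. It assumes $dbh is a PDO connection (the post does not say what $dbh is) and uses an in-memory SQLite table with constructed rows so it runs offline; the password values are placeholder strings standing in for whatever hashing the bot does.

```php
<?php
declare(strict_types=1);

// Constructed demo database: two users, placeholder password hashes.
$dbh = new PDO('sqlite::memory:');
$dbh->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$dbh->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT NOT NULL, password TEXT NOT NULL)');
$dbh->exec("INSERT INTO users (username, password) VALUES ('alice', 'hash-of-alice-pw'), ('bob', 'hash-of-bob-pw')");

// The pattern quoted from login.php: the submitted values are spliced into the
// SQL text before prepare() sees it, so prepare() has nothing left to protect.
// login.php uses MySQL-style double-quoted strings; single quotes are the SQLite
// equivalent here, and the mechanism is the same: a quote character in the input
// ends the string literal and the rest of the input is parsed as SQL.
function loginConcatenated(PDO $dbh, string $username, string $password): array
{
    $stmt = $dbh->prepare("SELECT id, username FROM users WHERE username = '".$username."' AND password = '".$password."'");
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// The form the post recommends: the SQL text is fixed, and the values are sent
// separately to the driver, so they are only ever compared as data.
function loginParameterised(PDO $dbh, string $username, string $password): array
{
    $stmt = $dbh->prepare('SELECT id, username FROM users WHERE username = ? AND password = ?');
    $stmt->execute([$username, $password]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// A normal login behaves the same in both versions.
$legit = loginParameterised($dbh, 'alice', 'hash-of-alice-pw');

// Constructed input of the kind the post describes: it closes the string literal,
// appends an always-true condition, and comments out the password check.
$hostile = "' OR 1=1 --";

$rowsConcat = loginConcatenated($dbh, $hostile, 'not-the-password');
$rowsBound  = loginParameterised($dbh, $hostile, 'not-the-password');

printf("legit login: %d row(s)\n", count($legit));
printf("hostile username, concatenated query: %d row(s)\n", count($rowsConcat));
printf("hostile username, bound parameters:   %d row(s)\n", count($rowsBound));
```

With the concatenated query the WHERE clause is rewritten and the password comparison never runs, so the hostile username matches user rows without any valid password; with bound parameters the same string is simply compared against the username column and matches nothing. If $dbh turns out to be a mysqli wrapper rather than PDO, the equivalent is `$stmt->bind_param('ss', $username, $password)` after `prepare()` with the same '?' placeholders.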